CN112769792A - ISP attack detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN112769792A
Authority: CN (China)
Prior art keywords: information, dom, isp, attack, hash value
Legal status: Granted (current status: Active)
Application number: CN202011612734.7A
Other languages: Chinese (zh)
Other versions: CN112769792B (en)
Inventors: 范敦球, 李文瑾, 吴铁军, 王蕴佳
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202011612734.7A
Publication of CN112769792A; application granted and published as CN112769792B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The invention discloses an ISP attack detection method, a device, an electronic device and a storage medium. The method comprises the following steps: acquiring first Document Object Model (DOM) information of a currently browsed first web page; acquiring second DOM information of the first web page from a pre-stored white list and judging whether the first DOM information is the same as the second DOM information; if so, determining that no ISP attack exists on the first web page, and if not, determining that an ISP attack exists on the first web page. The ISP attack detection method provided by the embodiment of the invention does not require security personnel to analyze the page content, solves the time-consuming and labor-intensive detection of ISP attacks in the prior art, and greatly improves detection efficiency.

Description

ISP attack detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting ISP attacks, an electronic device, and a storage medium.
Background
Network hijacking attacks generally fall into two types: domain name system (DNS) hijacking attacks and operator ISP (Internet Service Provider) hijacking attacks (hereinafter collectively referred to as ISP attacks). In a DNS hijacking attack, the attacker maliciously modifies the user's DNS server so that a website the user wants to visit is redirected to a website with a false address, and the user's personal sensitive information is stolen. Many mature means and products already exist to protect against and detect such attacks. In an ISP attack, however, the attacker may be a man-in-the-middle or the operator ISP itself, and the attack takes the form of inserting advertisements to obtain illegal profit, which makes it difficult to discriminate. Detection of ISP attacks is currently a gap: there is no standardized method or means, and security personnel must analyze the content of the accessed page themselves to detect whether an ISP attack has occurred. This is time-consuming, labor-intensive and inefficient, while ISP attacks are a serious and common phenomenon. Research into ISP attack detection is therefore necessary.
Disclosure of Invention
The embodiment of the invention provides an ISP attack detection method, an ISP attack detection device, electronic equipment and a storage medium, which are used for solving the problems that in the prior art, the detection of ISP attack is time-consuming and labor-consuming and the detection efficiency is low.
The embodiment of the invention provides an ISP attack detection method, which comprises the following steps:
acquiring first Document Object Model (DOM) information of a currently browsed first webpage;
acquiring second DOM information of the first webpage in a pre-stored white list, and judging whether the first DOM information is the same as the second DOM information;
if yes, determining that the ISP attack does not exist on the first webpage, and if not, determining that the ISP attack exists on the first webpage.
Further, the acquiring the first DOM information of the currently browsed first webpage includes:
when an ISP attack detection request is received, acquiring first DOM information of the currently browsed first webpage; or when the currently browsed first webpage is judged to be a pre-stored webpage, acquiring first DOM information of the currently browsed first webpage.
Further, after the first DOM information of the currently browsed first webpage is acquired, before whether the first DOM information and the second DOM information are the same is determined, the method further includes:
performing hash calculation on the first DOM information to obtain a first hash value;
the judging whether the first DOM information is the same as the second DOM information comprises:
judging whether a second hash value corresponding to the second DOM information in a pre-stored white list is the same as the first hash value or not; and the second hash value is obtained by carrying out hash calculation on the second DOM information in advance.
Further, the performing hash calculation on the first DOM information to obtain a first hash value includes:
performing hash calculation on first DOM structure information in the first DOM information to obtain a third hash value, and performing hash calculation on response information corresponding to each first JavaScript file in the first DOM information to obtain each fourth hash value; the first hash value comprises the third hash value and each of the fourth hash values;
the judging whether a second hash value corresponding to the second DOM information in a pre-stored white list is the same as the first hash value comprises:
judging whether a fifth hash value and each sixth hash value corresponding to the second DOM information in a pre-stored white list are respectively the same as the third hash value and each fourth hash value; the fifth hash value is obtained by performing hash calculation on second DOM structure information in the second DOM information in advance; and each sixth hash value is obtained by performing hash calculation on the response information corresponding to each second JavaScript file in the second DOM information in advance.
Further, after determining that the ISP attack exists on the first web page, the method further includes:
acquiring each piece of first tag information in the first DOM information, and generating a first frequency dictionary according to the occurrence frequency of each piece of first tag information;
acquiring a second frequency dictionary corresponding to the second DOM information in the pre-stored white list, wherein the second frequency dictionary is generated according to the occurrence frequency of each piece of second tag information in the second DOM information;
and determining ISP attack tag information according to the difference between the union and intersection of the first frequency dictionary and the second frequency dictionary.
Further, after acquiring each piece of first tag information in the first DOM information, before generating a first frequency dictionary according to the occurrence frequency of each piece of first tag information, the method further includes:
for each piece of first tag information, judging whether the first tag information has sub-tag information, and if so, filtering out that first tag information;
wherein the second frequency dictionary is generated according to an appearance frequency of each second tag information in the second DOM information for which there is no sub-tag information.
Further, the method further comprises:
and determining the highest attack level corresponding to the ISP attack tag information according to the corresponding relation between the preset tag information and the attack level, and outputting prompt information containing the highest attack level.
In another aspect, an embodiment of the present invention provides an ISP attack detection apparatus for an operator, where the apparatus includes:
the acquisition module is used for acquiring first Document Object Model (DOM) information of a currently browsed first webpage;
the judging module is used for acquiring second DOM information of the first webpage in a pre-stored white list and judging whether the first DOM information is the same as the second DOM information;
and the first determining module is used for determining that the ISP attack does not exist on the first webpage if the judgment result of the judging module is yes, and determining that the ISP attack exists on the first webpage if the judgment result of the judging module is no.
Further, the obtaining module is specifically configured to obtain, when an ISP attack detection request is received, first DOM information of the currently browsed first web page; or when the currently browsed first webpage is judged to be a pre-stored webpage, acquiring first DOM information of the currently browsed first webpage.
Further, the apparatus further comprises:
the calculation module is used for carrying out hash calculation on the first DOM information to obtain a first hash value;
the judging module is specifically configured to judge whether a second hash value corresponding to the second DOM information in a pre-stored white list is the same as the first hash value; and the second hash value is obtained by carrying out hash calculation on the second DOM information in advance.
Further, the calculation module is specifically configured to perform hash calculation on the first DOM structure information in the first DOM information to obtain a third hash value, and perform hash calculation on the response information corresponding to each first JavaScript file in the first DOM information to obtain each fourth hash value; the first hash value comprises the third hash value and each of the fourth hash values;
the judging module is specifically configured to judge whether a fifth hash value and each sixth hash value corresponding to the second DOM information in a pre-stored white list are respectively the same as the third hash value and each fourth hash value; the fifth hash value is obtained by performing hash calculation on second DOM structure information in the second DOM information in advance; and each sixth hash value is obtained by performing hash calculation on the response information corresponding to each second JavaScript file in the second DOM information in advance.
Further, the apparatus further comprises:
the second determining module is used for acquiring each piece of first tag information in the first DOM information and generating a first frequency dictionary according to the occurrence frequency of each piece of first tag information; acquiring a second frequency dictionary corresponding to the second DOM information in the pre-stored white list, wherein the second frequency dictionary is generated according to the occurrence frequency of each piece of second tag information in the second DOM information; and determining ISP attack tag information according to the difference between the union and intersection of the first frequency dictionary and the second frequency dictionary.
Further, the apparatus further comprises:
the filtering module is used for judging, for each piece of first tag information, whether the first tag information has sub-tag information, and if so, filtering out that first tag information;
wherein the second frequency dictionary is generated according to an appearance frequency of each second tag information in the second DOM information for which there is no sub-tag information.
Further, the apparatus further comprises:
and the output module is used for determining the highest attack level corresponding to the ISP attack tag information according to the preset corresponding relation between the tag information and the attack level and outputting prompt information containing the highest attack level.
On the other hand, the embodiment of the invention provides electronic equipment, which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
a processor for implementing any of the above method steps when executing a program stored in the memory.
In another aspect, an embodiment of the present invention provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements the method steps of any one of the above.
The embodiment of the invention provides an ISP attack detection method, a device, electronic equipment and a storage medium, wherein the method comprises the following steps: acquiring first Document Object Model (DOM) information of a currently browsed first webpage; acquiring second DOM information of the first webpage in a pre-stored white list, and judging whether the first DOM information is the same as the second DOM information; if yes, determining that the ISP attack does not exist on the first webpage, and if not, determining that the ISP attack exists on the first webpage.
The technical scheme has the following advantages or beneficial effects:
Considering that an ISP attacker inserts advertisements that do not belong to the visited website in order to profit: the advertisement may be inserted by adding extra HTML code such as <img> tags to load illegal pictures, by modifying the src content of existing <img> tags, or by modifying or adding CSS and JS code to pop up an illegal advertisement window. From this analysis, an ISP attack changes the page structure and therefore changes the DOM information. Based on this, in the embodiment of the present invention the electronic device obtains the first DOM information of the currently browsed first web page and the second DOM information of the first web page from the stored white list. When the two are the same, the DOM information of the currently browsed first web page is determined not to have changed and no ISP attack exists on the first web page; when they differ, the DOM information is determined to have changed and an ISP attack exists on the first web page. The ISP attack detection method provided by the embodiment of the invention does not require security personnel to analyze the page content, solves the time-consuming and labor-intensive detection of ISP attacks in the prior art, and greatly improves detection efficiency.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of an ISP attack detection process provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of an ISP attack detection system according to an embodiment of the present invention;
Fig. 3 is an exemplary diagram of a consistent query provided by an embodiment of the invention;
Fig. 4 is an exemplary diagram of differential queries provided by an embodiment of the present invention;
Fig. 5 is another exemplary diagram of a differential query according to an embodiment of the present invention;
Fig. 6 is a diagram illustrating a result return example in a differential query according to an embodiment of the present invention;
Fig. 7 is a block diagram of an ISP detection system for individual users provided by an embodiment of the present invention;
Fig. 8 is a block diagram of an ISP detection system for an enterprise provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an ISP attack detection apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the attached drawings, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1:
Fig. 1 is a schematic diagram of an ISP attack detection process according to an embodiment of the present invention, which includes the following steps:
S101: acquiring first Document Object Model (DOM) information of a currently browsed first web page.
S102: acquiring second DOM information of the first web page from a pre-stored white list and judging whether the first DOM information is the same as the second DOM information; if so, performing S103, and if not, performing S104.
S103: determining that no ISP attack exists on the first web page.
S104: determining that an ISP attack exists on the first web page.
The method for detecting operator ISP attacks is applied to an electronic device, which may be a gateway device, a tablet computer, a PC or other equipment with a protection function.
In the embodiment of the present invention, the currently browsed web page is referred to as the first web page, and the Document Object Model (DOM) information of the first web page is referred to as the first DOM information. The electronic device may obtain the first DOM information of the first web page.
The electronic device pre-stores a white list that records safe web pages and their corresponding DOM information. After acquiring the first DOM information of the currently browsed first web page, the electronic device acquires the second DOM information of the first web page from the white list and judges whether the first DOM information is the same as the second DOM information. DOM information provides an access model for the entire document, treating the document as a tree in which each node represents an HTML tag or a text item within a tag. Therefore, to determine whether the first DOM information and the second DOM information are the same, it may be determined whether each HTML tag and each text item within a tag in the first DOM information is the same as in the second DOM information. If every HTML tag and text item is the same, the first DOM information and the second DOM information are the same; otherwise they are different. If the first DOM information differs from the second DOM information, it is determined that an ISP attack exists on the first web page.
In the embodiment of the invention, it is considered that an ISP attacker inserts advertisements that do not belong to the visited website in order to profit: the advertisement may be inserted by adding extra HTML code such as <img> tags to load illegal pictures, by modifying the src content of existing <img> tags, or by modifying or adding CSS and JS code to pop up an illegal advertisement window. From this analysis, an ISP attack changes the page structure and therefore changes the DOM information. Based on this, in the embodiment of the present invention the electronic device obtains the first DOM information of the currently browsed first web page and the second DOM information of the first web page from the stored white list. When the two are the same, the DOM information of the currently browsed first web page is determined not to have changed and no ISP attack exists on the first web page; when they differ, the DOM information is determined to have changed and an ISP attack exists on the first web page. The ISP attack detection method provided by the embodiment of the invention does not require security personnel to analyze the page content, solves the time-consuming and labor-intensive detection of ISP attacks in the prior art, and greatly improves detection efficiency.
Example 2:
in order to reduce power consumption of ISP attack detection, on the basis of the foregoing embodiment, in an embodiment of the present invention, the acquiring first DOM information of a currently browsed first web page includes:
when an ISP attack detection request is received, acquiring first DOM information of the currently browsed first webpage; or when the currently browsed first webpage is judged to be a pre-stored webpage, acquiring first DOM information of the currently browsed first webpage.
In the embodiment of the invention, when a user browses a webpage, the user can actively initiate an ISP attack detection request, and after receiving the ISP attack detection request, the electronic equipment acquires the first DOM information of the currently browsed first webpage and carries out the subsequent ISP attack detection process. Or the electronic device may pre-store the web pages that need to be subjected to ISP attack detection to ensure the safe use of the web pages, and the electronic device first determines that the currently browsed first web page is the pre-stored web page, and if so, acquires the first DOM information of the currently browsed first web page and performs a subsequent ISP attack detection process, otherwise, does not perform the ISP attack detection process.
When a user browses a webpage by using a personal computer, the user can actively initiate an ISP attack detection request, and after the electronic equipment receives the ISP attack detection request, the subsequent ISP attack detection process is carried out. If some specific web pages need to be protected, the electronic device may pre-store the web pages that need to be subjected to ISP attack detection, and the electronic device first determines that the currently browsed first web page is the pre-stored web page, and if so, performs a subsequent ISP attack detection process, otherwise, does not perform the ISP attack detection process.
In the embodiment of the invention, when an ISP attack detection request is received, the first DOM information of the currently browsed first webpage is acquired; or when the currently browsed first webpage is judged to be a pre-stored webpage, acquiring first DOM information of the currently browsed first webpage. The power consumption of ISP attack detection is reduced, and meanwhile, targeted detection is realized on some webpages.
Example 3:
in order to improve the efficiency of ISP attack detection, on the basis of the foregoing embodiments, in an embodiment of the present invention, after acquiring first DOM information of a currently browsed first web page, before determining whether the first DOM information and the second DOM information are the same, the method further includes:
performing hash calculation on the first DOM information to obtain a first hash value;
the judging whether the first DOM information is the same as the second DOM information comprises:
judging whether a second hash value corresponding to the second DOM information in a pre-stored white list is the same as the first hash value or not; and the second hash value is obtained by carrying out hash calculation on the second DOM information in advance.
After the electronic equipment acquires the first DOM information of the currently browsed first webpage, performing hash calculation on the first DOM information to obtain a first hash value. And the electronic equipment also carries out hash calculation on each DOM information in the white list in advance to obtain a corresponding hash value. In the embodiment of the present invention, the hash value obtained by performing hash calculation on the second DOM information in advance is referred to as a second hash value. And then, whether the ISP attack exists on the first webpage is detected by judging whether the second hash value is the same as the first hash value. Specifically, when the second hash value is the same as the first hash value, it is determined that the ISP attack does not exist on the first web page, and when the second hash value is different from the first hash value, it is determined that the ISP attack exists on the first web page.
In the embodiment of the invention, whether ISP attack exists is detected by comparing whether the first hash value corresponding to the first DOM information is the same as the second hash value corresponding to the second DOM information. Compared with the method for detecting whether the ISP attack exists or not by judging whether each HTML tag in the first DOM information and the second DOM information is the same as the text item in the tag, the detection efficiency is improved.
Example 4:
in order to improve the accuracy of detection while ensuring the efficiency of detecting ISP attacks, on the basis of the foregoing embodiments, in an embodiment of the present invention, the performing hash calculation on the first DOM information to obtain a first hash value includes:
performing hash calculation on first DOM structure information in the first DOM information to obtain a third hash value, and performing hash calculation on response information corresponding to each first JavaScript file in the first DOM information to obtain each fourth hash value; the first hash value comprises the third hash value and each of the fourth hash values;
the judging whether a second hash value corresponding to the second DOM information in a pre-stored white list is the same as the first hash value comprises:
judging whether a fifth hash value and each sixth hash value corresponding to the second DOM information in a pre-stored white list are respectively the same as the third hash value and each fourth hash value; the fifth hash value is obtained by performing hash calculation on second DOM structure information in the second DOM information in advance; and each sixth hash value is obtained by performing hash calculation on the response information corresponding to each second JavaScript file in the second DOM information in advance.
The DOM information includes DOM structure information and response information corresponding to each JavaScript file (hereinafter referred to as a JS file). In order to improve the detection accuracy, in the embodiment of the present invention, hash calculation is performed on the first DOM structure information in the first DOM information to obtain a third hash value, and hash calculation is performed on the response information corresponding to each first JavaScript file in the first DOM information to obtain each fourth hash value, where the first hash value includes the third hash value and each fourth hash value. It should be noted that, other information in the DOM information may also be subjected to hash calculation to obtain a corresponding hash value, and the hash value is included in the first hash value, that is, in the embodiment of the present invention, it is not limited that the first hash value only includes the third hash value and each fourth hash value.
In addition, the electronic equipment also carries out hash calculation on DOM structure information in the DOM information in advance aiming at each DOM information in the white list to obtain a corresponding hash value; and carrying out hash calculation on the response information corresponding to each JavaScript file in the DOM information to obtain each corresponding hash value.
In the embodiment of the invention, it is judged whether the fifth hash value and each sixth hash value corresponding to the second DOM information in the pre-stored white list are respectively the same as the third hash value and each fourth hash value; the fifth hash value is obtained by hashing the second DOM structure information in the second DOM information in advance, and each sixth hash value is obtained by hashing the response information corresponding to each second JavaScript file in the second DOM information in advance. If the fifth hash value is the same as the third hash value and each sixth hash value is the same as the corresponding fourth hash value, it is determined that no ISP attack exists on the first web page; otherwise, it is determined that an ISP attack exists on the first web page.
It should be noted that, to obtain the response information corresponding to a JavaScript file, a fetch (a JavaScript method for sending a request) is performed on the HTTP path of the JavaScript file, the entire returned response content is taken as the response information, and the hash calculation is performed on that response information to obtain the corresponding hash value.
In the embodiment of the invention, hash calculation is performed separately on the DOM structure information in the DOM information and on the response information corresponding to each first JavaScript file, and the resulting hash values are compared with the hash values in the white list. Compared with comparing only a single hash value for the whole DOM information, this improves the accuracy of ISP attack detection.
Example 5:
in order to locate the ISP attack, on the basis of the foregoing embodiments, in an embodiment of the present invention, after determining that the ISP attack exists on the first web page, the method further includes:
acquiring each piece of first tag information in the first DOM information, and generating a first frequency dictionary according to the occurrence frequency of each piece of first tag information;
acquiring a second frequency dictionary corresponding to the second DOM information in the pre-stored white list, wherein the second frequency dictionary is generated according to the occurrence frequency of each piece of second tag information in the second DOM information;
and determining ISP attack tag information according to the difference between the union and intersection of the first frequency dictionary and the second frequency dictionary.
In the embodiment of the invention, after the electronic equipment detects that the ISP attack exists, each piece of first tag information in the first DOM information is acquired, and a first frequency dictionary is generated according to the occurrence frequency of each piece of first tag information. And the electronic equipment acquires a second frequency dictionary corresponding to second DOM information in a pre-stored white list, wherein the second frequency dictionary is generated according to the occurrence frequency of each piece of second tag information in the second DOM information. And then calculating the difference between the union and the intersection of the first frequency dictionary and the second frequency dictionary, wherein the label information obtained by the calculation result is the ISP attack label information.
In the embodiment of the invention, the ISP attack tag information is determined through the frequency dictionary of the tag information, so that the ISP attack is positioned, and convenience is provided for subsequent ISP attack protection.
Example 6:
to avoid information redundancy in the process of locating an ISP attack, on the basis of the foregoing embodiments, in an embodiment of the present invention, after acquiring each piece of first tag information in the first DOM information, before generating a first frequency dictionary according to an occurrence frequency of each piece of first tag information, the method further includes:
judging whether the first label information has sub-label information or not aiming at each piece of first label information, and if so, filtering the first label information;
wherein the second frequency dictionary is generated according to an appearance frequency of each second tag information in the second DOM information for which there is no sub-tag information.
In the embodiment of the present invention, if the located ISP attack tag information has sub-tag information, all of that sub-tag information is also regarded as ISP attack tag information (the innerHTML of a tag contains the content of every tag nested inside it), which causes redundancy of the tag information. Therefore, for each piece of first tag information, the electronic device judges whether the first tag information has sub-tag information, and if so, filters that first tag information out. Similarly, when the electronic device generates the second frequency dictionary in advance, it generates it according to the occurrence frequency of each piece of second tag information in the second DOM information that has no sub-tag information.
In the embodiment of the invention, a first frequency dictionary is generated according to the occurrence frequency of each first tag information without sub-tag information in the first DOM information, a second frequency dictionary is generated according to the occurrence frequency of each second tag information without sub-tag information in the second DOM information, and then ISP attack tag information is determined according to the difference between the union and intersection of the first frequency dictionary and the second frequency dictionary. This avoids the redundancy of the ISP attack tag information. The tag information in the embodiment of the present invention includes tag name information, tag attribute information, and tag content information.
Example 7:
in order to further improve the user experience, on the basis of the foregoing embodiments, in an embodiment of the present invention, the method further includes:
and determining the highest attack level corresponding to the ISP attack tag information according to the corresponding relation between the preset tag information and the attack level, and outputting prompt information containing the highest attack level.
In the embodiment of the present invention, the electronic device may store a preset correspondence between tag information and attack level, for example: tag information related to a JS file corresponds to the highest-level (high) attack, tag information related to a pop-up window to the second-highest level, tag information related to a picture to a medium-level attack, and all other tag information to the lowest level (low) attack. After the electronic device determines the ISP attack tag information, it determines the highest attack level corresponding to that tag information according to the preset correspondence, and outputs prompt information containing the highest attack level. For example, if the ISP attack tag information includes tag information related to a JS file, prompt information indicating a high-level attack is output; if it does not include tag information related to a JS file but includes tag information related to a pop-up window, prompt information indicating a medium-level attack is output. The prompt information may be a text message or the like.
The ISP attack detection process is described in detail below by way of specific examples. The embodiment of the invention is used for detecting whether the network environment of the user is attacked by the ISP.
First, an ISP attack is one in which the attacker controls the user's traffic path and inserts advertisements that do not belong to the visited website, in order to profit. There are many ways to implement advertisement insertion; the following are common. Inserting illegal pictures: loading of illegal pictures is achieved by inserting additional HTML code, such as an <img> tag; it can also be achieved by modifying the src content of an existing <img> tag. Inserting an illegal pop-up window: the pop-up of an illegal advertisement window can be achieved by modifying or adding CSS code and JS code, commonly seen as a small pop-up window in the lower right corner of the screen. All of these insertion methods change the page structure, which affects the structure of the DOM tree: an insert or delete operation changes the DOM tree nodes, and modifying the content of a file changes the content of the DOM tree. Therefore, the core idea of the embodiment of the present invention is to detect the change of the DOM information: obtain the target DOM information of the currently browsed web page and the DOM information of the corresponding web page in the white list, judge the difference between them with a statistical method, and finally judge whether the user's network is under ISP attack.
The embodiment of the invention has two implementation schemes, one enterprise-oriented and the other individual-user-oriented. In both, the electronic device obtains the white list by acquiring and storing safe DOM information. The white list then serves as the reference object against which the DOM information of the page accessed by the user is compared, so as to detect whether an ISP attack has occurred. In the embodiment of the invention, the electronic device can be a server deployed in the cloud, which accesses the website through the cloud and acquires and stores the safe DOM information to obtain the white list.
In a commercial network, a merchant can place its server in the cloud, which reduces maintenance and management cost while offering high flexibility. The electronic device (including the server) for ISP detection provided by the embodiment of the invention can be deployed in the same cloud, so that communication between the server of the embodiment and the merchant's server is internal to the cloud and is carried over a point-to-point encrypted tunnel; this ensures that the communication cannot be hijacked, even if the merchant's website is served over HTTP. As shown in fig. 2, the user (merchant server) may access the website through the operator, or may communicate with the security vendor (the server provided by the embodiment of the present invention) through the operator.
In some other networks, the servers of some websites are also placed in the cloud, which is the same as the situation above. Some websites use their own servers; for these, the healthy DOM information has to be acquired in a point-to-point manner, and its integrity is ensured with a hash. The unit hashes its own DOM information and sends the hash to the security vendor; the security vendor hashes the DOM information it obtained and compares the two hashes to ensure consistency.
In the embodiment of the invention, ISP attacks are divided into levels. The attack means comprise two modes, code modification and code insertion, and each mode involves img (picture) related tag information, pop-up window related tag information, js (JavaScript file) related tag information and other tag information elements. The attack level division is shown in the following table:
Risk level assessment    Insert        Modify
JS file                  High          High
Pop-up window            Medium        Medium
img                      Medium        Medium
Other elements           Medium-low    Low
After the electronic equipment determines the ISP attack tag information, the highest attack level corresponding to the ISP attack tag information is determined according to the preset corresponding relation between the tag information and the attack level, and prompt information containing the highest attack level is output.
The ISP detection process provided by the embodiment of the invention comprises consistency query and difference query. The consistency query is used for querying whether the two DOM information are the same or not, the difference query is used for positioning which label information is different, and the label information with the difference is ISP attack label information.
In the consistency query, described below with reference to fig. 3, there are two parts: a query for the HTML and a content query for the JS files. In the HTML query, the DOM structure information is an object, and hashing that object gives the hash value of the DOM structure information, i.e. Hash(DOM_obj). If Hash(DOM_target) == Hash(DOM_reference), the fifth hash value corresponding to the second DOM information in the pre-stored white list is the same as the hash value obtained by hashing the first DOM structure information in the first DOM information. In the JS query, the specific content of each JS file is verified. However, there is no way to read the content of a JS file out of the document object, so a fetch (a JavaScript method for issuing an HTTP request) is performed on the path of the JavaScript file referenced over HTTP, and the entire returned response content is hashed to obtain the corresponding hash value. This operation is repeated for each JS file. To judge the consistency of all JS files, either the hash value of each JS file is compared with its counterpart in the white list individually, or the hash values of all JS files are added and the sum is used for verification, namely
(formula image in the original, not recoverable from the page: per the text, the per-file values hash(fetch(JS_k)) for k = 1 to n are summed)
where n is the number of JS files, JS denotes a JS file, and JS_k is the k-th JS file. Only when both parts (HTML and JS) yield hash values consistent with those of the corresponding web page in the white list can it be determined that the web page accessed by the user has not been attacked by the ISP. Otherwise there may be a difference, and a further difference query is required. It should be noted that, in the consistency query of the JS files, the JS files may also be taken out one by one, hash(fetch(JS_k)) computed for each, and each result compared individually; as soon as a difference is found, the next step, the difference query, is entered directly.
In the difference query, the node properties nodeName, attributes and innerHTML are used. As shown in fig. 4, nodeName gives the name of the tag: for example, for a node <DIV id='xx' class='...'>, the result of nodeName is DIV. attributes gives the attributes of a node: for example, for a node <img id='cover' class='img' src='cover.jpg' href='http://xxx.xxx.xxx.xxx'>, the result of attributes is id='cover' class='img' src='cover.jpg' href='http://xxx.xxx.xxx.xxx'. As shown in fig. 5, innerHTML is the tag content information: for example, for a node <p id='hh'>hello</p>, the result of innerHTML is "hello".
Since the innerHTML result also returns the content of every nested tag, as shown in fig. 6, the innerHTML query is only performed on tags whose childElementCount is 0, in order to avoid the redundancy that would produce too much information. For tags whose childElementCount is not 0, the innerHTML result is set to null. A tag with childElementCount 0 is a tag without sub-tag information.
In the difference query, the DOM tree is counted with a statistical model similar to BoW (bag of words), where each keyword is composed of the three properties above. For example:
T1 = {"key1": value, "key2": value, "key3": value, ...}
where:
Key1 = [nodeName1, attributes1, innerHTML1]
Key2 = [nodeName2, attributes2, innerHTML2]
Key3 = [nodeName3, attributes3, innerHTML3]
Each key is the combination of the three properties, and the value is the number of occurrences of the corresponding key.
Then, the frequency of the two DOM information (target DOM information, DOM information corresponding to the white list) is represented. Dictionaries T1 (the tag frequency dictionary of DOM information returned by a user visiting a website) and T2 (the tag frequency dictionary of corresponding DOM information in the white list) are derived.
The query of the difference is realized by using a union-intersection algorithm, and comprises the following steps:
(T1∪T2)-(T1∩T2)
Finally, the ISP attack tag information is obtained from the result of this computation, and the result is returned together with the highest threat level. Since the website may be cached, the client side and the server side may be inconsistent after an update; low-risk tag information can therefore be selectively ignored.
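The difference query and level assignment above (Examples 5 to 7), written out as an added example in Node.js, not code from the patent: DOM nodes are plain objects with nodeName, attributes, innerHTML and children (in a browser these come from element.nodeName, element.attributes, element.innerHTML and childElementCount), and the two sample trees, the image names cover.jpg and ad.jpg and the script address http://ads.example/ad.js are constructed for illustration. The level mapping follows the patent's table; the pop-up test (a fixed-position style or a window.open call inside the tag) is an assumption, since the patent does not say how pop-up related tags are recognised.

```javascript
// Added example (not the patent's code): difference query with a leaf-only
// bag-of-words over DOM tags, then the highest attack level of the result.
// DOM nodes are plain objects: { nodeName, attributes, innerHTML, children }.

// Serialise the attribute map the way the patent displays it: id='x' class='y'.
function attrString(attributes) {
  return Object.entries(attributes || {})
    .map(([name, value]) => `${name}='${value}'`)
    .join(' ');
}

// Build the tag frequency dictionary (T1 or T2). Only tags with no child
// elements are counted (Example 6): a parent's innerHTML would repeat every
// descendant, and each descendant would then be reported twice.
function tagFrequencyDict(root) {
  const dict = {};
  const walk = (node) => {
    const children = node.children || [];
    if (children.length === 0) {
      const key = JSON.stringify([node.nodeName, attrString(node.attributes), node.innerHTML || '']);
      dict[key] = (dict[key] || 0) + 1;
    }
    children.forEach(walk);
  };
  walk(root);
  return dict;
}

// (T1 ∪ T2) - (T1 ∩ T2) over frequency dictionaries. Treated as multisets,
// a key is in the intersection only up to its minimum count, so a tag that
// the attacker merely duplicates still lands in the difference.
function differenceQuery(t1, t2) {
  const keys = new Set([...Object.keys(t1), ...Object.keys(t2)]);
  const diff = [];
  for (const key of keys) {
    if ((t1[key] || 0) !== (t2[key] || 0)) diff.push(JSON.parse(key));
  }
  return diff;
}

// Preset correspondence between tag information and attack level, following
// the patent's table: JS file high, pop-up and img medium, everything else low.
const LEVEL_RANK = { high: 3, medium: 2, low: 1 };

function attackLevel([nodeName, attrs, innerHTML]) {
  const name = nodeName.toUpperCase();
  if (name === 'SCRIPT') return 'high';
  if (name === 'IMG') return 'medium';
  // Pop-up heuristic (assumption, not from the patent): a fixed-position
  // element or a window.open call inside the tag is treated as a pop-up.
  if (/position\s*:\s*fixed|window\.open\s*\(/.test(`${attrs} ${innerHTML}`)) return 'medium';
  return 'low';
}

// Locate the ISP attack tags and report the highest level among them.
// ignoreLowRisk drops low-level tags, as the text suggests for pages whose
// cached and live versions may legitimately differ in minor content.
function locateAttack(targetRoot, whitelistRoot, ignoreLowRisk = false) {
  let tags = differenceQuery(tagFrequencyDict(targetRoot), tagFrequencyDict(whitelistRoot));
  if (ignoreLowRisk) tags = tags.filter((tag) => attackLevel(tag) !== 'low');
  const highest = tags
    .map(attackLevel)
    .reduce((best, level) => (best === null || LEVEL_RANK[level] > LEVEL_RANK[best] ? level : best), null);
  return { tags, highest };
}

// Constructed sample: the white-listed page and the same page as returned
// through a hijacking ISP (img src rewritten, a fixed-position ad box and an
// ad script appended). DIV#main has children and is therefore not counted.
const WHITELIST_ROOT = {
  nodeName: 'BODY', attributes: {},
  children: [{
    nodeName: 'DIV', attributes: { id: 'main' },
    children: [
      { nodeName: 'P', attributes: { id: 'hh' }, innerHTML: 'hello' },
      { nodeName: 'IMG', attributes: { id: 'cover', class: 'img', src: 'cover.jpg' } },
    ],
  }],
};

const TARGET_ROOT = {
  nodeName: 'BODY', attributes: {},
  children: [
    {
      nodeName: 'DIV', attributes: { id: 'main' },
      children: [
        { nodeName: 'P', attributes: { id: 'hh' }, innerHTML: 'hello' },
        { nodeName: 'IMG', attributes: { id: 'cover', class: 'img', src: 'ad.jpg' } },
      ],
    },
    { nodeName: 'DIV', attributes: { style: 'position:fixed;bottom:0;right:0' }, innerHTML: 'Buy now' },
    { nodeName: 'SCRIPT', attributes: { src: 'http://ads.example/ad.js' } },
  ],
};

console.log(locateAttack(TARGET_ROOT, WHITELIST_ROOT)); // 4 differing tags, highest 'high'
```

Both the original cover.jpg image and its rewritten ad.jpg replacement appear in the result, because a modification removes one key from T1 and adds another; the tag-level report therefore shows the before and after of a modified element, not just the injected ones.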
In the embodiment of the invention, for individual users, a method of white list plus active detection by the user is adopted. First, regarding the white list: ISP attacks may occur on all HTTP traffic or only on some specific HTTP sites, so the security vendor can collect the DOM trees of these specific websites into a white list; these sites are called class A. For the rest, the DOM tree structure can be collected for HTTP websites that are accessed more frequently; these sites are called class B. The trees of all these sites are kept in the white list. Regarding active detection by the user: after a user initiates a network detection request, a number of class A and class B websites are randomly selected from the white list, for example 10 websites in total. The user initiates an HTTP request for each of these 10 web pages. After the 10 responses are returned, the structure of each DOM tree is hashed and the hash result is sent to the server side. The server side verifies it against the hash of the corresponding safe DOM tree in the white list and returns the result.
For enterprises, the security vendor provides a secure network service for the enterprises it protects, using a network probe together with a white list. First, regarding the white list: the list stores the enterprises that purchase the security vendor's service, and the DOM tree information of these enterprises' websites is collected and stored. For enterprises in the cloud, the security vendor can obtain the DOM tree information through in-cloud access. Enterprises outside the cloud, such as some government websites, need to provide the healthy DOM tree information themselves. Regarding the network probes: the security vendor deploys network probes between the ISP and the individual users (that is, before the traffic reaches the personal computer) and distributes the white-list information to all probes. When an individual user browses a web page, if the accessed traffic belongs to an enterprise client protected by the vendor, the probe acquires the DOM tree information returned to the user by the ISP, verifies it against the corresponding DOM tree in the white list, and returns the result.
Fig. 7 is a structural diagram of the ISP detection system for an individual user. As shown in fig. 7, first, the security vendor stores in the cloud a white list in which the DOM information of important websites and of websites that are not updated frequently is pre-stored. The user (personal computer) installs the security vendor's product and initiates an active network detection. According to the security vendor's analysis, the frequently accessed websites Website 1-3 are marked, as is the government Website that is important to protect. The detection initiated by the user issues requests to these four sites via the ISP. The user obtains the DOM information of these 4 sites and sends it to the security vendor in a dedicated point-to-point manner. The security vendor takes the DOM information sent by the user, finds the corresponding DOM information in its white list and performs the consistency query. For some servers in the cloud, the security vendor can obtain the latest DOM information through real-time access. Finally, the verification result is returned to the user.
Fig. 8 shows the structure of the ISP detection system for an enterprise. As shown in fig. 8, first, the enterprise purchases the network service provided by the security vendor and provides its own DOM information, which the security vendor stores in the white list. The security vendor deploys network probes (the network probes in fig. 8) on the network before the traffic reaches the user and shares its white-list information with the probes. The probe identifies the user's traffic; if it belongs to an enterprise protected by the vendor, the probe extracts the DOM information of that enterprise's page and compares and verifies it against the DOM information in the white list. For example, web1, web2 and the government web purchase the security vendor's network service; when a user visits all the websites in the figure, the probes verify and detect only these three and do not protect the traffic of web3. For a network in which an ISP attack is found, the result is returned to the user and the enterprise.
Example 8:
fig. 9 is a schematic structural diagram of an ISP attack detection apparatus provided in an embodiment of the present invention, where the apparatus includes:
the acquiring module 91 is configured to acquire first document object model DOM information of a currently browsed first webpage;
the judging module 92 is configured to acquire second DOM information of the first webpage in a pre-stored white list, and judge whether the first DOM information is the same as the second DOM information;
a first determining module 93, configured to determine that the ISP attack does not exist on the first web page if the determination result of the determining module is yes, and determine that the ISP attack exists on the first web page if the determination result of the determining module is no.
The obtaining module 91 is specifically configured to, when an ISP attack detection request is received, obtain first DOM information of the currently browsed first web page; or when the currently browsed first webpage is judged to be a pre-stored webpage, acquiring first DOM information of the currently browsed first webpage.
The device further comprises:
a calculating module 94, configured to perform hash calculation on the first DOM information to obtain a first hash value;
the determining module 92 is specifically configured to determine whether a second hash value corresponding to the second DOM information in a pre-stored white list is the same as the first hash value; and the second hash value is obtained by carrying out hash calculation on the second DOM information in advance.
The calculating module 94 is specifically configured to perform hash calculation on the first DOM structure information in the first DOM information to obtain a third hash value, and perform hash calculation on the response information corresponding to each first JavaScript file in the first DOM information to obtain each fourth hash value; the first hash value comprises the third hash value and each of the fourth hash values;
the determining module 92 is specifically configured to determine whether a fifth hash value and each sixth hash value corresponding to the second DOM information in a pre-stored white list are respectively corresponding to the same third hash value and each fourth hash value; the fifth hash value is obtained by carrying out hash calculation on second DOM structure information in the second DOM information in advance; and each sixth hash value is obtained by carrying out hash calculation on the response information corresponding to each second JavaScript file in the second DOM information in advance.
The device further comprises:
a second determining module 95, configured to obtain each piece of first tag information in the first DOM information, and generate a first frequency dictionary according to an occurrence frequency of each piece of first tag information; acquiring a second frequency dictionary corresponding to the second DOM information in the pre-stored white list, wherein the second frequency dictionary is generated according to the occurrence frequency of each piece of second tag information in the second DOM information; and determining ISP attack tag information according to the difference between the union and intersection of the first frequency dictionary and the second frequency dictionary.
The device further comprises:
a filtering module 96, configured to determine, for each piece of first tag information, whether sub-tag information exists in the piece of first tag information, and if so, filter the piece of first tag information;
wherein the second frequency dictionary is generated according to an appearance frequency of each second tag information in the second DOM information for which there is no sub-tag information.
The device further comprises:
and an output module 97, configured to determine a highest attack level corresponding to the ISP attack tag information according to a preset correspondence between the tag information and the attack level, and output prompt information including the highest attack level.
Example 9:
on the basis of the foregoing embodiments, an embodiment of the present invention further provides an electronic device, as shown in fig. 10, including: the system comprises a processor 301, a communication interface 302, a memory 303 and a communication bus 304, wherein the processor 301, the communication interface 302 and the memory 303 complete mutual communication through the communication bus 304;
the memory 303 has stored therein a computer program which, when executed by the processor 301, causes the processor 301 to perform the steps of:
acquiring first Document Object Model (DOM) information of a currently browsed first webpage;
acquiring second DOM information of the first webpage in a pre-stored white list, and judging whether the first DOM information is the same as the second DOM information;
if yes, determining that the ISP attack does not exist on the first webpage, and if not, determining that the ISP attack exists on the first webpage.
Based on the same inventive concept, the embodiment of the present invention further provides an electronic device, and as the principle of the electronic device for solving the problem is similar to the ISP attack detection method, the implementation of the electronic device may refer to the implementation of the method, and repeated details are not repeated.
The electronic device provided by the embodiment of the invention can be a desktop computer, a portable computer, a smart phone, a tablet computer, a Personal Digital Assistant (PDA), a network side device and the like.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface 302 is used for communication between the above-described electronic apparatus and other apparatuses.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Alternatively, the memory may be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a central processing unit, a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an application specific integrated circuit, a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
When the processor executes the program stored in the memory in the embodiment of the invention, the first Document Object Model (DOM) information of the currently browsed first webpage is acquired; acquiring second DOM information of the first webpage in a pre-stored white list, and judging whether the first DOM information is the same as the second DOM information; if yes, determining that the ISP attack does not exist on the first webpage, and if not, determining that the ISP attack exists on the first webpage. In the embodiment of the invention, the electronic equipment acquires first DOM information of a currently browsed first webpage, acquires second DOM information of the first webpage in a stored white list, and when the first DOM information is the same as the second DOM information, the DOM information of the currently browsed first webpage is not changed, at the moment, the first webpage is determined to have no ISP attack, and when the first DOM information is different from the second DOM information, the DOM information of the currently browsed first webpage is changed, and at the moment, the first webpage is determined to have the ISP attack. The ISP attack detection method provided by the embodiment of the invention does not need security personnel to analyze the page content, solves the problems of time and labor consumption in the prior art for detecting the ISP attack, and greatly improves the detection efficiency.
Example 10:
on the basis of the foregoing embodiments, an embodiment of the present invention further provides a computer storage readable storage medium, in which a computer program executable by an electronic device is stored, and when the program is run on the electronic device, the electronic device is caused to execute the following steps:
acquiring first Document Object Model (DOM) information of a currently browsed first webpage;
acquiring second DOM information of the first webpage in a pre-stored white list, and judging whether the first DOM information is the same as the second DOM information;
if yes, determining that the ISP attack does not exist on the first webpage, and if not, determining that the ISP attack exists on the first webpage.
Based on the same inventive concept, embodiments of the present invention further provide a computer-readable storage medium, and since a principle of solving a problem when a processor executes a computer program stored in the computer-readable storage medium is similar to that of an ISP attack detection method, implementation of the computer program stored in the computer-readable storage medium by the processor may refer to implementation of the method, and repeated details are not repeated.
The computer readable storage medium may be any available medium or data storage device that can be accessed by a processor in an electronic device, including but not limited to magnetic memory such as floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc., optical memory such as CDs, DVDs, BDs, HVDs, etc., and semiconductor memory such as ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs), etc.
The computer program is stored in a computer readable storage medium provided by the embodiment of the invention, and when being executed by a processor, the computer program realizes the acquisition of DOM information of a first document object model of a currently browsed first webpage; acquiring second DOM information of the first webpage in a pre-stored white list, and judging whether the first DOM information is the same as the second DOM information; if yes, determining that the ISP attack does not exist on the first webpage, and if not, determining that the ISP attack exists on the first webpage. In the embodiment of the invention, the electronic equipment acquires first DOM information of a currently browsed first webpage, acquires second DOM information of the first webpage in a stored white list, and when the first DOM information is the same as the second DOM information, the DOM information of the currently browsed first webpage is not changed, at the moment, the first webpage is determined to have no ISP attack, and when the first DOM information is different from the second DOM information, the DOM information of the currently browsed first webpage is changed, and at the moment, the first webpage is determined to have the ISP attack. The ISP attack detection method provided by the embodiment of the invention does not need security personnel to analyze the page content, solves the problems of time and labor consumption in the prior art for detecting the ISP attack, and greatly improves the detection efficiency.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for detecting an operator (ISP) attack, the method comprising:
acquiring first Document Object Model (DOM) information of a currently browsed first webpage;
acquiring second DOM information of the first webpage in a pre-stored white list, and judging whether the first DOM information is the same as the second DOM information;
if yes, determining that the ISP attack does not exist on the first webpage, and if not, determining that the ISP attack exists on the first webpage.
2. The method of claim 1, wherein obtaining first DOM information for a currently browsed first web page comprises:
when an ISP attack detection request is received, acquiring first DOM information of the currently browsed first webpage; or when the currently browsed first webpage is judged to be a pre-stored webpage, acquiring first DOM information of the currently browsed first webpage.
3. The method of claim 1, wherein after obtaining the first DOM information of the currently browsed first web page, before determining whether the first DOM information and the second DOM information are the same, the method further comprises:
performing hash calculation on the first DOM information to obtain a first hash value;
the judging whether the first DOM information is the same as the second DOM information comprises:
judging whether a second hash value corresponding to the second DOM information in a pre-stored white list is the same as the first hash value or not; and the second hash value is obtained by carrying out hash calculation on the second DOM information in advance.
4. The method of claim 3, wherein hashing the first DOM information to obtain a first hash value comprises:
performing hash calculation on first DOM structure information in the first DOM information to obtain a third hash value, and performing hash calculation on response information corresponding to each first JavaScript file in the first DOM information to obtain each fourth hash value; the first hash value comprises the third hash value and each of the fourth hash values;
the judging whether a second hash value corresponding to the second DOM information in a pre-stored white list is the same as the first hash value comprises:
judging whether a fifth hash value and each sixth hash value corresponding to the second DOM information in a pre-stored white list are respectively the same as the third hash value and each of the fourth hash values; the fifth hash value is obtained by carrying out hash calculation on second DOM structure information in the second DOM information in advance; and each sixth hash value is obtained by carrying out hash calculation on the response information corresponding to each second JavaScript file in the second DOM information in advance.
5. The method of claim 1, wherein after the determination that the first web page has an ISP attack, the method further comprises:
acquiring each piece of first tag information in the first DOM information, and generating a first frequency dictionary according to the occurrence frequency of each piece of first tag information;
acquiring a second frequency dictionary corresponding to the second DOM information in the pre-stored white list, wherein the second frequency dictionary is generated according to the occurrence frequency of each piece of second tag information in the second DOM information;
and determining ISP attack tag information according to the difference between the union and intersection of the first frequency dictionary and the second frequency dictionary.
6. The method of claim 5, wherein after obtaining each piece of first tag information in the first DOM information, and before generating a first frequency dictionary according to the occurrence frequency of each piece of first tag information, the method further comprises:
for each piece of first tag information, judging whether that first tag information has sub-tag information, and if so, filtering out that first tag information;
wherein the second frequency dictionary is generated according to the occurrence frequency of each piece of second tag information in the second DOM information that has no sub-tag information.
7. The method of claim 5, wherein the method further comprises:
and determining the highest attack level corresponding to the ISP attack tag information according to the corresponding relation between the preset tag information and the attack level, and outputting prompt information containing the highest attack level.
8. An operator ISP attack detection apparatus, the apparatus comprising:
the acquisition module is used for acquiring first Document Object Model (DOM) information of a currently browsed first webpage;
the judging module is used for acquiring second DOM information of the first webpage in a pre-stored white list and judging whether the first DOM information is the same as the second DOM information;
and the first determining module is used for determining that the ISP attack does not exist on the first webpage if the judgment result of the judging module is yes, and determining that the ISP attack exists on the first webpage if the judgment result of the judging module is no.
9. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any one of claims 1 to 7 when executing a program stored in the memory.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 7.
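The detection procedure of claims 1 and 3 to 7 (and the summary in the description above), as an added worked example that is not the patent's own code: it parses a page with Python's standard-library html.parser, hashes the DOM structure and each external script response (the third and fourth hash values), compares them against the whitelist entry, and on a mismatch takes the difference between the union and intersection of the leaf-tag frequency dictionaries to name the injected tag information, then rates it through a hypothetical ATTACK_LEVEL table. The page HTML, script bodies, URLs and the level table are all constructed for illustration; Python is used instead of browser JavaScript so that the example runs offline with a standard-library parser.

```python
"""Whitelist-based ISP content-injection detection (constructed example).
Claims 1/3/4: hash the DOM structure and each external script response and
compare with the whitelist.  Claims 5-7: on mismatch, diff the leaf-tag
frequency dictionaries and rate the injected tags."""
import hashlib
from collections import Counter
from html.parser import HTMLParser

# Hypothetical preset tag-name -> attack-level table (claim 7); not from the patent.
ATTACK_LEVEL = {"iframe": 3, "script": 3, "a": 2, "img": 1}
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class DomCollector(HTMLParser):
    """One pass over the HTML recording the tag structure (depth:tag), the tag
    information of every leaf element (no child tags, claim 6) and each script src."""

    def __init__(self):
        super().__init__()
        self.structure, self.leaves, self.scripts = [], [], []
        self._stack = []                  # open elements: [tag, attrs, has_child_tag]

    @staticmethod
    def _tag_info(entry):
        tag, attrs, _ = entry
        return tag + "".join(f"[{k}={v}]" for k, v in attrs)

    def handle_starttag(self, tag, attrs):
        self.structure.append(f"{len(self._stack)}:{tag}")
        if self._stack:
            self._stack[-1][2] = True     # parent now has a child tag
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.scripts.append(src)
        entry = [tag, tuple(sorted(attrs)), False]
        if tag in VOID_TAGS:              # void tags can never have children
            self.leaves.append(self._tag_info(entry))
        else:
            self._stack.append(entry)

    def handle_endtag(self, tag):
        if not any(e[0] == tag for e in self._stack):
            return                        # stray close tag (or a void tag): ignore
        while self._stack:                # pop up to and including the matching tag
            entry = self._stack.pop()
            if not entry[2]:
                self.leaves.append(self._tag_info(entry))
            if entry[0] == tag:
                break

    def handle_data(self, data):
        # Inline <script> bodies join the structure digest, so an injected
        # inline script is caught even though it has no external file.
        if self._stack and self._stack[-1][0] == "script" and data.strip():
            self.structure.append("js:" + _sha256(data))

    def finish(self):
        self.close()
        while self._stack:                # elements left open at end of input
            entry = self._stack.pop()
            if not entry[2]:
                self.leaves.append(self._tag_info(entry))


def fingerprint(html, script_bodies):
    """Return (structure hash, {src: response hash}, leaf-tag Counter).
    script_bodies maps each script src to the response body fetched for it."""
    c = DomCollector()
    c.feed(html)
    c.finish()
    js = {src: _sha256(script_bodies.get(src, "")) for src in c.scripts}
    return _sha256("\n".join(c.structure)), js, Counter(c.leaves)


def enroll(whitelist, url, html, script_bodies):
    """Store the known-good fingerprint of url (the second DOM information)."""
    s, js, freq = fingerprint(html, script_bodies)
    whitelist[url] = {"structure": s, "scripts": js, "freq": freq}


def detect(whitelist, url, html, script_bodies):
    ref = whitelist.get(url)
    if ref is None:
        return {"attacked": None, "reason": "page not in whitelist"}
    s, js, freq = fingerprint(html, script_bodies)
    if s == ref["structure"] and js == ref["scripts"]:
        return {"attacked": False}
    # Union minus intersection of the two frequency dictionaries: every leaf
    # tag whose count differs, i.e. the injected (or removed) tag information.
    injected = (freq | ref["freq"]) - (freq & ref["freq"])
    changed = sorted(src for src in set(js) | set(ref["scripts"])
                     if js.get(src) != ref["scripts"].get(src))
    names = [t.split("[", 1)[0] for t in injected] + (["script"] if changed else [])
    return {"attacked": True, "injected": sorted(injected), "changed_scripts": changed,
            "level": max((ATTACK_LEVEL.get(n, 0) for n in names), default=0)}


# Constructed sample pages and script responses (not real sites).
CLEAN_HTML = ('<html><head><meta charset="utf-8"><title>Shop</title>'
              '<script src="/static/app.js"></script></head><body>'
              '<div id="main"><h1>Welcome</h1><p>Hi <b>there</b></p>'
              '<img src="/logo.png"></div></body></html>')
INJECTED_HTML = CLEAN_HTML.replace("</div>", (
    '<iframe src="http://ads.example.invalid/x"></iframe>'
    '<a href="http://ads.example.invalid/go">'
    '<img src="http://ads.example.invalid/ad.png"></a></div>'))
CLEAN_JS = {"/static/app.js": "console.log('app');"}
TAMPERED_JS = {"/static/app.js": "console.log('app');/*injected*/"}


def demo():
    """Enroll the clean page, then check a clean, a DOM-injected and a script-tampered load."""
    wl = {}
    enroll(wl, "https://shop.example/", CLEAN_HTML, CLEAN_JS)
    return {"clean": detect(wl, "https://shop.example/", CLEAN_HTML, CLEAN_JS),
            "dom": detect(wl, "https://shop.example/", INJECTED_HTML, CLEAN_JS),
            "js": detect(wl, "https://shop.example/", CLEAN_HTML, TAMPERED_JS)}
```

The `<a>` wrapping the injected ad image is dropped from the frequency comparison because it has a child tag (claim 6), so only the `iframe` and the inner `img` are reported; the script-only tampering case shows why claim 4 hashes each JavaScript response separately, since the DOM structure of that page is unchanged and a structure-only hash would miss it.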

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011612734.7A CN112769792B (en) 2020-12-30 2020-12-30 ISP attack detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011612734.7A CN112769792B (en) 2020-12-30 2020-12-30 ISP attack detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112769792A true CN112769792A (en) 2021-05-07
CN112769792B CN112769792B (en) 2023-05-02

Family

ID=75696112

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011612734.7A Active CN112769792B (en) 2020-12-30 2020-12-30 ISP attack detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112769792B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8516590B1 (en) * 2009-04-25 2013-08-20 Dasient, Inc. Malicious advertisement detection and remediation
CN107016043A (en) * 2017-02-14 2017-08-04 阿里巴巴集团控股有限公司 A kind of information processing method and device
CN108366058A (en) * 2018-02-07 2018-08-03 平安普惠企业管理有限公司 Method, apparatus, equipment and the storage medium for preventing advertisement operators flow from kidnapping
CN108494762A (en) * 2018-03-15 2018-09-04 广州优视网络科技有限公司 Web access method, device and computer readable storage medium, terminal
WO2018209465A1 (en) * 2017-05-15 2018-11-22 深圳市卓希科技有限公司 Webpage access control method and gateway device
CN108989266A (en) * 2017-05-31 2018-12-11 腾讯科技(深圳)有限公司 A kind of processing method for preventing webpage from kidnapping and client and server
CN111159775A (en) * 2019-12-11 2020-05-15 中移(杭州)信息技术有限公司 Webpage tampering detection method, system and device and computer readable storage medium
CN111177614A (en) * 2019-11-22 2020-05-19 中国电子产品可靠性与环境试验研究所((工业和信息化部电子第五研究所)(中国赛宝实验室)) Source tracking method and device for injecting content to third party of webpage
CN111556036A (en) * 2020-04-20 2020-08-18 杭州安恒信息技术股份有限公司 Detection method, device and equipment for phishing attack
CN112152993A (en) * 2020-08-17 2020-12-29 杭州安恒信息技术股份有限公司 Method and device for detecting webpage hijacking, computer equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230188565A1 (en) * 2021-12-15 2023-06-15 International Business Machines Corporation Detecting web resources spoofing through stylistic fingerprints
US11985165B2 (en) * 2021-12-15 2024-05-14 International Business Machines Corporation Detecting web resources spoofing through stylistic fingerprints

Also Published As

Publication number Publication date
CN112769792B (en) 2023-05-02

Similar Documents

Publication Publication Date Title
CN107465651B (en) Network attack detection method and device
CN107888616B (en) Construction method of classification model based on URI and detection method of Webshell attack website
Ramesh et al. An efficacious method for detecting phishing webpages through target domain identification
US8205255B2 (en) Anti-content spoofing (ACS)
US11036855B2 (en) Detecting frame injection through web page analysis
CN108932426B (en) Unauthorized vulnerability detection method and device
Gervais et al. Quantifying web adblocker privacy
JP2019517088A (en) Security vulnerabilities and intrusion detection and remediation in obfuscated website content
CN113489713B (en) Network attack detection method, device, equipment and storage medium
US9147067B2 (en) Security method and apparatus
CN107992738B (en) Account login abnormity detection method and device and electronic equipment
CN112703496B (en) Content policy based notification to application users regarding malicious browser plug-ins
CN106992981B (en) Website backdoor detection method and device and computing equipment
CN111756724A (en) Detection method, device and equipment for phishing website and computer readable storage medium
CN107239701B (en) Method and device for identifying malicious website
WO2020000749A1 (en) Method and apparatus for detecting unauthorized vulnerabilities
RU2658878C1 (en) Method and server for web-resource classification
US9621576B1 (en) Detecting malicious websites
US11637863B2 (en) Detection of user interface imitation
CN109067794B (en) Network behavior detection method and device
Wu et al. Detect repackaged android application based on http traffic similarity
CN108270754B (en) Detection method and device for phishing website
CN112769792B (en) ISP attack detection method and device, electronic equipment and storage medium
CN108234392B (en) Website monitoring method and device
He et al. Mobile app identification for encrypted network flows by traffic correlation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant